Back Up the Service Master Key

This topic describes how to back-up the Service Master key in SQL Server 2014 by using Transact-SQL. The service master key is the root of the encryption hierarchy. It should be backed up and stored in a secure, off-site location. Creating this backup should be one of the first administrative actions performed on the server.

Limitations and Restrictions

The master key must be open and, therefore, decrypted before it is backed up. If it is encrypted with the service master key, the master key does not have to be explicitly opened; however, if the master key is encrypted only with a password, it must be explicitly opened.

We recommend that you back up the master key as soon as it is created, and store the backup in a secure, off-site location.

Security

Permissions

To back-up the Service Master key

In SQL Server Management Studio, connect to the SQL Server instance containing the service master key you wish to back up.

Choose a password that will be used to encrypt the service master key on the backup medium. This password is subject to complexity checks. For more information, see Password Policy.

Obtain a removable backup medium for storing a copy of the backed-up key.

Identify an NTFS directory in which to create the backup of the key. This is where you will create the file specified in the next step. The directory should be protected with highly restrictive access control lists (ACLs).

In Object Explorer, connect to an instance of Database Engine.

On the Standard bar, click New Query.

Copy and paste the following example into the query window and click Execute.

-- Creates a backup of the "AdventureWorks2012" master key.
-- Because this master key is not encrypted by the service master key, a password must be specified when it is opened.
USE AdventureWorks2012;
GO
BACKUP SERVICE MASTER KEY TO FILE = 'c:\temp_backups\keys\service_master_ key'
ENCRYPTION BY PASSWORD = '3dH85Hhk003GHk2597gheij4';
GO

Note

The file path to the key and the key's password (if it exists) will be different than what is indicated above. Make sure that both are specific to your server and key set-up.